So you're using MD5 to hash your users' passwords and you think it's fully secure? In this tutorial, I'll explain how MD5 password hashes work and how to make them harder to break.

Many people think the MD5 hash string is the password in encrypted form. It's in fact a 32-character hexadecimal number (a 128-bit digest) computed from the string you entered. It does not contain your password at all. But is it possible to log in even if you don't know the real password? Yes...

How it works

In a PHP script, you can simply use the md5() function to generate the MD5 hash from a string.

While it might look secure and impossible to break, it's not. The login check compares hashes, not passwords, so any input that produces the same MD5 digest (a collision) is accepted, and you can log in using a different string that generates the same hash. Worse, multiple websites keep lookup tables of precomputed hashes and can "reverse" the MD5 hash of a common password into a usable password.

The solution is to use a salt before generating the MD5 hash. A salt is a short string of random characters, generated per user, that is not known to the user and is stored alongside the hash. Because every user's hash is computed from a different salt, a precomputed lookup table for plain MD5 no longer applies. The hash would then be generated this way:
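As an added example (this is not code from the original tutorial), the PHP script below puts the pieces side by side: the unsalted md5() call, the same call with a per-user salt, a constant-time verification of a login attempt, and PHP's built-in password_hash() as the recommended replacement. The helper names makeSalt, saltedMd5 and verifySaltedMd5 and the sample password are assumptions made for this example.

```php
<?php
// Added example: why an unsalted MD5 hash is exposed to lookup tables, how a
// per-user salt changes that, and what PHP offers instead of hand-rolled MD5.

// Constructed sample input: two users who happen to choose the same password.
$password = 'password123';

// 1. Unsalted MD5. Identical passwords give identical digests, so a single
//    lookup-table entry for this digest unlocks every account that uses it.
$unsaltedA = md5($password);
$unsaltedB = md5($password);
var_dump($unsaltedA === $unsaltedB); // same input, same digest

// 2. Salted MD5. The salt comes from a CSPRNG, is different for every user,
//    and is stored next to the hash (it does not need to be secret, only random).
function makeSalt(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes)); // 32 hex characters, unknown to the user
}

function saltedMd5(string $salt, string $password): string
{
    return md5($salt . $password);
}

$saltA = makeSalt();
$saltB = makeSalt();
$saltedA = saltedMd5($saltA, $password);
$saltedB = saltedMd5($saltB, $password);
var_dump($saltedA === $saltedB); // different salts, different digests for the same password

// Verifying a login attempt: recompute with the stored salt and compare with
// hash_equals() so the comparison runs in constant time.
function verifySaltedMd5(string $storedSalt, string $storedHash, string $attempt): bool
{
    return hash_equals($storedHash, saltedMd5($storedSalt, $attempt));
}

var_dump(verifySaltedMd5($saltA, $saltedA, 'password123')); // correct password
var_dump(verifySaltedMd5($saltA, $saltedA, 'wrong'));       // wrong password

// 3. Caveat: a salt defeats precomputed tables, but MD5 is still fast enough
//    for offline brute force against each hash individually. password_hash()
//    (PHP 5.5+) salts automatically and uses a deliberately slow algorithm
//    (bcrypt with PASSWORD_DEFAULT), and password_verify() checks it.
$modern = password_hash($password, PASSWORD_DEFAULT);
var_dump(password_verify('password123', $modern)); // correct password
var_dump(password_verify('wrong', $modern));       // wrong password
```

Run it with `php salt-demo.php`. The salted and unsalted sections show the property the tutorial relies on: with a salt, two users with the same password no longer share a hash, so a table built for plain MD5 is useless against the stored values. The third section is the practical recommendation: store the string returned by password_hash() and check attempts with password_verify(), rather than maintaining your own salt column and MD5 call.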